Freepik, a free photos and graphics platform, has admitted that it was the victim of a major security breach which may have affected over 8.3 million users. In a security alert, the company stated that attackers obtained, without authorization, the email addresses and hashed passwords of users of its Freepik and Flaticon websites.
Attack via SQL Injection
The data leak occurred after attackers exploited an SQL injection vulnerability to gain access to one of the company's databases that held user data.
“We determined that an attacker extracted the email and, when available, the hash of the password of the oldest 8.3M users,” Freepik said in a statement. The company also clarified that the obtained password hashes are not the actual passwords and cannot be used to log into user accounts.
According to Freepik, of the 8.3 million users, 4.5 million had no hashed password because they used federated logins (with Google, Facebook and/or Twitter), so the only data the attackers may have obtained from them was their email address. The remaining 3.77 million users had their email addresses and hashed passwords compromised. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt,” the statement added.
Notifying the Affected
The company has reported the breach to the authorities and is notifying the affected users. “Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged). Users who got their password hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them,” Freepik added.